Systems for local network security

ABSTRACT

Security systems for computers connected to networks transmitting packets are disclosed. One disclosed system includes a security agent and a local security device featuring a network hardware connector, a computer hardware connector, a flash memory and a microprocessor to perform a software instruction. The security agent closes the security device by altering a setting of a bit of the flash memory. Further disclosed is a firewall on a single chip for providing security to a network transmitting packets. The firewall includes a network hardware connector, a memory for storing a rule and a software instruction for examining each packet, and a microprocessor. Preferably the rule is configurable by a user, and the memory includes at least one displayable Web page and Web server functionality for serving the Web page and accepting a command from the user, such that the at least one rule is determined by the command.

FIELD AND BACKGROUND OF THE INVENTION

The present invention relates to a system and method for providing local network security, and in particular, to such a system and method in which the security is provided through a hardware device for filtering communications received through the network by an individual computer.

The security of information is extremely important for modern society, particularly since the advent of the Internet. Unauthorized exposure of such information, and/or unintended or unauthorized use of information may significantly damage organizations and individuals. Damage may also be caused by lost, corrupted or misused information. Thus, appropriate security measures are required in order to protect information from such damaging actions, while still maintaining the availability of such information to authorized individuals and/or organizations.

Currently, flexibility and ease of access to information are highly valued, particularly through the Internet and organizational intranets, which provide connections between computers through a network. Accessing information through a network enables users at physically separate locations to share information, but also increases the possibility of unauthorized or unintended access to the information. Various attempts to provide a solution to the problem of security for electronically stored information are known in the art, but all of these attempted solutions have various drawbacks.

For example, a “firewall” is a software program or hardware device which attempts to provide security to an entire network, or to a portion thereof, by filtering all communication which passes through an entry point to the entire network or the portion of the network. Unfortunately, currently available firewalls have a number of disadvantages. The placement of the firewall at the entry point to the network being protected is designed to regulate access to that network. However, since many large organizations have multiple networks, such a firewall may effectively block legitimate access within the organization itself to members of the organization. On the other hand, a firewall cannot protect against unauthorized access within the network by a member of the organization, since the firewall only protects the entry point to the network. Thus, currently available firewalls may both block legitimate access to a network and fail to block unauthorized access to the network.

A more effective solution would regulate access locally for each computer attached to the network, such that each computer would be protected individually, while still permitting centralized control for all of the computers in the network. Such a combination of individual protection and centralized control would solve both of the problems described previously, in that legitimate access within an organization would be permitted, while unauthorized access by a member of the organization could be blocked. Unfortunately, such a solution is not currently available.

There is thus a need for, and it would be useful to have, a system and a method for local security for each computer connected to a network, which would provide individual protection for each computer against unauthorized access and yet which would still permit authorized access within an organization.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, aspects and advantages will be better understood from the following detailed description of a preferred embodiment of the invention with reference to the drawings, wherein:

FIGS. 1A and 1B are schematic block diagrams of different embodiments of an illustrative system according to the present invention;

FIG. 2 is a schematic block diagram of an illustrative system with multiple security agents according to the present invention; and

FIG. 3 is a schematic block diagram of an exemplary local security device according to the present invention.

SUMMARY OF THE INVENTION

The present invention is of a system and a method for distributed, local network security. Each computer connected to a network is provided with a local security device. The local security devices are configured by a security agent in order to determine filtering rules at each computer. When a user wishes to connect to the network, an authentication procedure is performed with the security agent. If the procedure is successful, then the user receives a set of privileges, or access rules, according to which packets sent by the computer operated by the user are either permitted or denied access to computers connected to the network. Preferably, access is also determined according to different functions of application software programs, such that a user may be permitted to perform only certain functions on a computer connected to the network.

According to other preferred embodiments of the present invention, the user is able to interact with the local security device through one or more Web pages served by the local security device. Also preferably, the local security device is configured as a “firewall on a chip”, such that the local security device is implemented as firmware. Additionally, the present invention also provides for a system with multiple security agents, thereby enabling a user to interact with different computers on different sub-networks without requiring different user accounts. Also, the present invention is able to provide virtual private networks, such that computers connected to a physical network can be grouped in different virtual sets without reference to direct physical connections between the computers. Thus, the method and system of the present invention are able to provide flexible network security at the local level.

According to the present invention, there is provided a system for local, distributed security for a computer connected to a network, the network transmitting packets to and from the computer, the system comprising: (a) a local security device for connecting the computer to the network and for examining each packet to determine whether the packet is received by the computer according to at least one rule; and (b) a security agent for determining the at least one rule for the local security device.

According to another embodiment of the present invention, there is provided a firewall on a single chip for providing security to a network, the network transmitting packets, the firewall comprising: (a) a network hardware connector for connecting to the network; (b) a memory for storing at least one rule and for storing at least one software instruction for examining each packet; and (c) a microprocessor for performing the at least one software instruction for examining each packet to determine whether the packet is transmitted according to the at least one rule.

According to yet another embodiment of the present invention, there is provided a method for determining access by a user to a network through a user computer, the network transmitting packets, the method comprising the steps of: (a) providing a local security device for filtering the packets according to at least one rule, the local security device being connected to the network; (b) receiving an identifier from the user; (c) determining the at least one rule according to the identifier; (d) receiving a packet from the user computer by the local security device; and (e) examining the packet by the local security device to determine whether the packet is given access according to the at least one rule.

Hereinafter, the term “network” refers to a connection between any two computers which permits the transmission of data. Hereinafter, the term “computer” includes, but is not limited to, personal computers (PC) having an operating system such as DOS, Windows™, OS/2™ or Linux; Macintosh™ computers; computers having JAVA™-OS as the operating system; and graphical workstations such as the computers of Sun Microsystems™ and Silicon Graphics™, and other computers having some version of the UNIX operating system such as AIX™ or SOLARIS™ of Sun Microsystems™; or any other known and available operating system, including operating systems such as Windows CE™ for embedded systems, including cellular telephones, handheld computational devices and palmtop computational devices, and any other computational device which can be connected to a network. Hereinafter, the term “Windows™” includes but is not limited to Windows95™, Windows 3.X™ in which “x” is an integer such as “1”, Windows NT™, Windows98™, Windows CE™ and any upgraded versions of these operating systems by Microsoft Inc. (Seattle, Wash., USA).

Hereinafter, the term “user” is the person who operates the GUI interface and interacts with software implemented according to the present invention.

Hereinafter, the term “Web browser” refers to any software program which can display text, graphics, or both, from Web pages on World Wide Web sites. Hereinafter, the term “Web page” refers to any document written in a mark-up language including, but not limited to, HTML (hypertext mark-up language) or VRML (virtual reality modeling language), dynamic HTML, XML (extensible mark-up language) or related computer languages thereof, as well as to any collection of such documents reachable through one specific Internet address or at one specific World Wide Web site, or any document obtainable through a particular URL (Uniform Resource Locator). Hereinafter, the term “Web site” refers to at least one Web page, and preferably a plurality of Web pages, virtually connected to form a coherent group. Hereinafter, the term “Web server” refers to a computer or other electronic device which is capable of serving at least one Web page to a Web browser.

The present invention could be described as a series of steps implemented by a data processor, such that the present invention could be implemented as hardware, software or firmware, or a combination thereof. For the present invention, a software application could be written in substantially any suitable programming language, which could easily be selected by one of ordinary skill in the art. The programming language chosen should be compatible with the computer according to which the software application is executed. Examples of suitable programming languages include, but are not limited to, C, C++ and Java.

DETAILED DESCRIPTION OF THE INVENTION

The present invention is of a system and a method for distributed, local network security. Each computer connected to a network is provided with a local security device. The local security devices are configured by a security agent in order to determine filtering rules at each computer. When a user wishes to connect to the network, an authentication procedure is performed with the security agent. If the procedure is successful, then the user receives a set of privileges, or access rules, according to which packets sent by the computer operated by the user are either permitted or denied access to computers connected to the network. Preferably, access is also determined according to different functions of application software programs, such that a user may be permitted to perform only certain functions on a computer connected to the network.

According to other preferred embodiments of the present invention, the user is able to interact with the local security device through one or more Web pages served by the local security device. Also preferably, the local security device is configured as a “firewall on a chip”, such that the local security device is implemented as firmware. Additionally, the present invention also provides for a system with multiple security agents, thereby enabling a user to interact with different computers on different sub-networks without requiring different user accounts. Also, the present invention is able to provide virtual private networks, such that computers connected to a physical network can be grouped in different virtual sets without reference to direct physical connections between the computers. Thus, the method and system of the present invention are able to provide flexible network security at the local level.

The principles and operation of a method and system according to the present invention may be better understood with reference to the drawings and the accompanying description, it being understood that these drawings are given for illustrative purposes only and are not meant to be limiting.

Referring now to the drawings, FIG. 1A is a schematic block diagram of a first exemplary configuration of a system 10 for distributed, local network security according to the present invention, while FIG. 1B is a schematic block diagram of a second exemplary configuration of system 10.

System 10 features an organizational network 12 protected by a security gateway 14. According to the background art, security gateway 14 is a simple firewall, as described for example in U.S. Pat. No. 5,606,668, incorporated by reference as if fully set forth herein as a description of a background art firewall. Such a firewall would filter incoming packets to organizational network 12 in order to determine whether the packets should be allowed to enter. The process of filtering the packet includes the steps of reading the header of the packet, for example in order to determine the MAC or IP layer addresses, and then comparing the information contained within the packet header to a list of rules. Access is either permitted or denied to the packet according to these rules.

According to the present invention, although security gateway 14 may optionally contain a firewall 16 according to the background art, preferably security gateway 14 only contains a security agent 18 according to the present invention. Security agent 18 does not itself filter packets to provide network security. Rather, security agent 18 controls at least one, and preferably a plurality of, local security devices 20. Each local security device 20 is connected to a computer 22 as shown. According to a preferred embodiment of the present invention, local security device 20 is implemented as a hardware network interface card, such as an Ethernet card for example. Thus, the heavy computational overhead required by background art firewalls is shifted away from computer 22 and onto local security device 20.

Local security device 20 filters all incoming packets to computer 22 as described above for background art firewalls. The list of rules, or declarations, which are required for filtering the incoming packets is determined at least partially by security agent 18. Optionally and preferably, the declarations are also at least partially determined according to the user operating computer 22. Thus, the security for computer 22 is more preferably controlled both locally, by the user operating computer 22, and centrally, by security agent 18.

The type of filtration of packets provided by local security device 20 for computer 22 is preferably variable according to a number of different characteristics, as known in the art for firewalls. For example, preferably local security device 20 is capable of filtering packets according to both addresses and protocols. Examples of different types of addresses include, but are not limited to, network layer addresses such as IP (internet protocol) addresses, and data link layer addresses such as MAC (media access control) addresses. A preferred example of a MAC address is an Ethernet address for an Ethernet or Ethernet-compatible network card. By filtering packets according to such an address, local security device 20 determines from which origination address packets are accepted. Since a source MAC or IP address can be forged by another host on the same network, such address-based rules identify the originating computer only as far as the network itself prevents spoofing; the authentication of users and devices described below is what binds packets to an identity. As described in greater detail below, security agent 18 sends instructions to local security device 20 to determine the originating address or addresses from which packets are accepted. These instructions are intercepted as packets by local security device 20, which is able to determine that the packets are addressed as commands to itself and to follow the commands contained within the packets. Such command packets should be accepted only when local security device 20 can verify that they originate from security agent 18, since otherwise any host able to reach the device could rewrite its rules. Thus, even though each local security device 20 actually filters the packets to be accepted to computer 22, the rules are preferably at least partially determined by security agent 18.

One example of a protocol according to which packets could be filtered is TCP (transmission control protocol), which is a transport layer protocol. Packets could also optionally be filtered according to other such transport layer protocols, and according to the application-layer data they carry, such that particular commands or functions performed by individual software applications can be detected. For example, filtering through TCP enables local security device 20 to permit access to a packet for the “get” command of the FTP (file transfer protocol) software application but not to the “put” command. Since these commands (RETR and STOR on the FTP control connection) are carried in the TCP payload rather than in the TCP header, such filtering requires local security device 20 to examine the application-layer data of the packet and not merely its addresses and ports. Furthermore, optionally local security device 20 could combine information from both the address and the protocol for a packet, such that a user might be permitted to perform a particular command for a software application when sending packets from only one address, for example. Thus, the security rules according to which local security device 20 filters a packet are preferably flexible.
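As an added illustration, not part of the patent text, the following Python program implements the kind of filtering just described: it decodes constructed Ethernet/IPv4/TCP frames, matches them against rules on source MAC address, source IP address, protocol and destination port, and for the FTP example distinguishes RETR (“get”) from STOR (“put”) by inspecting the TCP payload. The rule format, the addresses, the sample frames and the helper names are assumptions made for this example; anything that does not match a rule, or does not parse, is denied.

```python
"""Added example, not code from the patent: a small packet filter of the kind the local
security device would run. It decodes constructed Ethernet/IPv4/TCP frames and matches
them against rules on source MAC, source IP, protocol, destination port and, for FTP,
the command verb in the TCP payload. Names, the rule format and addresses are assumed."""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_IP, IPPROTO_TCP = 0x0800, 6


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src_mac: Optional[str] = None  # "00:0a:0b:0c:0d:0e"; None matches any
    src_ip: Optional[str] = None   # dotted quad; None matches any
    proto: Optional[int] = None    # IP protocol number; None matches any
    dst_port: Optional[int] = None # TCP destination port; None matches any
    ftp_cmd: Optional[str] = None  # FTP verb such as "RETR"/"STOR"; None matches any


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 + TCP headers; raise ValueError on anything malformed."""
    if len(frame) < 34:
        raise ValueError("short frame")
    _, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, src_ip, _ = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad IPv4 header")
    l4 = ip[ihl:total_len]
    pkt = {"src_mac": ":".join(f"{b:02x}" for b in src_mac),
           "src_ip": ".".join(str(b) for b in src_ip),
           "proto": proto, "dst_port": None, "payload": b""}
    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            raise ValueError("short TCP header")
        _, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        pkt["dst_port"], pkt["payload"] = dport, l4[(off_flags >> 12) * 4:]
    return pkt


def ftp_verb(payload: bytes) -> Optional[str]:
    """An FTP command is the first token of a CRLF-terminated line in the TCP payload."""
    line = payload.split(b"\r\n", 1)[0]
    return line.split(b" ", 1)[0].decode("ascii", "replace").upper() if line else None


def matches(rule: Rule, pkt: dict) -> bool:
    for field in ("src_mac", "src_ip", "proto", "dst_port"):
        want = getattr(rule, field)
        if want is not None and want != pkt[field]:
            return False
    if rule.ftp_cmd is not None:
        # Application-layer check: only meaningful on a TCP/21 control connection.
        return pkt["proto"] == IPPROTO_TCP and pkt["dst_port"] == 21 \
            and ftp_verb(pkt["payload"]) == rule.ftp_cmd
    return True


def filter_frame(rules: list, frame: bytes) -> str:
    """First matching rule wins; malformed or unmatched frames are denied (default deny)."""
    try:
        pkt = parse_frame(frame)
    except ValueError:
        return "deny"
    return next((r.action for r in rules if matches(r, pkt)), "deny")


def build_tcp_frame(src_mac: bytes, src_ip: bytes, dst_port: int, payload: bytes) -> bytes:
    """Constructed test frame to 10.0.0.9 (checksums left zero; the filter ignores them)."""
    tcp = struct.pack("!HHIIHHHH", 40000, dst_port, 1, 0, 5 << 12, 512, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     src_ip, bytes([10, 0, 0, 9]))
    return bytes.fromhex("001122aabbcc") + src_mac + struct.pack("!H", ETH_P_IP) + ip + tcp


# Constructed rule set: the workstation at 10.0.0.5 (from its registered MAC) may fetch
# files over FTP (RETR) but not upload them (STOR); SSH is allowed; all else is denied.
RULES = [
    Rule("deny", src_ip="10.0.0.5", proto=IPPROTO_TCP, dst_port=21, ftp_cmd="STOR"),
    Rule("allow", src_ip="10.0.0.5", src_mac="00:0a:0b:0c:0d:0e", proto=IPPROTO_TCP, dst_port=21),
    Rule("allow", src_ip="10.0.0.5", src_mac="00:0a:0b:0c:0d:0e", proto=IPPROTO_TCP, dst_port=22),
]

if __name__ == "__main__":
    mac, ip = bytes.fromhex("000a0b0c0d0e"), bytes([10, 0, 0, 5])
    for payload in (b"RETR report.txt\r\n", b"STOR secret.txt\r\n"):
        print(payload[:4].decode(), filter_frame(RULES, build_tcp_frame(mac, ip, 21, payload)))
```

The STOR rule is placed before the general FTP allow rule because the filter is first-match; a real device would additionally have to reassemble the TCP stream, since an FTP command split across two segments would not be seen by a per-packet check.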

Security agent 18 preferably controls two sets of rules for providing security to each computer 22. As noted previously, the first set of rules is the list of declarations according to which packets are filtered by local security device 20, which is preferably at least partially controlled by the user operating computer 22. The second set of rules is the list of access permissions for each user wishing to gain access to any part of organizational network 12. This set of access permissions is preferably controlled completely by security agent 18, and includes two types of information.

The first type of information concerns the authentication procedure required for a user to access organizational network 12. The user operates computer 22 and enters identification information through a software interface on computer 22. Such identification information includes, but is not limited to, a password, swiping a smart card through a smart card reader attached to computer 22, or any type of biometric information such as a fingerprint, retinal print and so forth. This identification information is then preferably encrypted by local security device 20 and sent to security agent 18. In addition, preferably local security device 20 and security agent 18 establish a shared secret key in a handshake procedure. Such a handshake procedure could be any type of procedure which is well known in the art, such as an SSL (secure sockets layer) handshake, RSA-based key transport, Diffie-Hellman key agreement and so forth (R. L. Rivest et al., Communications of the ACM, 1978, 21:120-126; W. Diffie and M. E. Hellman, IEEE Transactions on Information Theory, 22:644-654, 1976). For example, in a bi-directional challenge-response protocol, such as the Kerberos protocol, a series of messages is exchanged between local security device 20 and security agent 18. At least one message in the series with known content is encrypted with a secret key held by both local security device 20 and security agent 18. The key itself is not transmitted, such that local security device 20 and security agent 18 are able to perform mutual authentication according to their ability to decrypt the message. To resist replay of a captured exchange, the known content should include a fresh random challenge chosen by the verifying party for each authentication. Thus, preferably both the user operating computer 22 and local security device 20 attached to computer 22 are authenticated during the authentication procedure with security agent 18.

Once security agent 18 has authenticated the user and local security device 20, security agent 18 then determines privileges for the user. These privileges are the access rules for that user, which are preferably sent to local security device 20. The user cannot alter these privileges, thereby preventing an unauthorized user from changing the privileges and becoming a root user in a Unix-based operating system, for example. Thus, preferably only security agent 18 can determine the privileges, or access rules, for each user.
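The following Python program is an added example, not the patent's own protocol, of the mutual authentication and privilege issuance described in the two preceding paragraphs. A pre-shared per-device key stands in for the “secret key held by both” parties and is never transmitted: each side proves possession of it by a MAC (HMAC-SHA256) over the other side's fresh random challenge, and the access rules the agent returns are bound to the device's challenge by a further MAC, so the device can reject rules that were altered in transit or that did not come from the agent. The message layout, the user credential check and all names are assumptions; the password is assumed to travel over the encrypted device-to-agent link the text describes.

```python
"""Added example, not the patent's own protocol: a symmetric challenge-response handshake
between a local security device and the security agent, after which the agent issues the
user's access rules under a MAC so the device can check they came from the agent unaltered.
HMAC-SHA256 over a pre-shared per-device key stands in for the "secret key held by both";
message layout, names and the credential check are assumptions made for this example."""
import hashlib
import hmac
import json
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over length-prefixed parts so fields cannot be re-split by an attacker."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def password_record(password: bytes, salt: bytes = b"\x00" * 8) -> tuple:
    """(salt, hash) as the agent stores it; a real deployment would use a slow KDF."""
    return salt, hashlib.sha256(salt + password).digest()


class SecurityAgent:
    def __init__(self, device_keys: dict, users: dict, privileges: dict):
        self.device_keys = device_keys  # device_id -> pre-shared key, provisioned out of band
        self.users = users              # user -> (salt, password hash)
        self.privileges = privileges    # user -> list of access rules
        self.pending = {}               # device_id -> outstanding challenge

    def challenge(self, device_id: str) -> bytes:
        self.pending[device_id] = os.urandom(16)
        return self.pending[device_id]

    def verify(self, device_id: str, device_nonce: bytes, response: bytes, user: str, password: bytes) -> dict:
        """Check the device's proof over our challenge and the user's credential; on success
        return our own proof over the device's nonce plus the MACed privileges."""
        key = self.device_keys.get(device_id)
        agent_nonce = self.pending.pop(device_id, None)
        if key is None or agent_nonce is None:
            return {"status": "closed"}
        expected = mac(key, b"device-proof", agent_nonce, device_nonce, user.encode())
        salt, pw_hash = self.users.get(user, (b"", bytes(32)))  # dummy record never matches
        ok_device = hmac.compare_digest(expected, response)
        ok_user = hmac.compare_digest(hashlib.sha256(salt + password).digest(), pw_hash)
        if not (ok_device and ok_user):
            return {"status": "closed"}  # failed authentication: the device is to be closed
        rules = json.dumps(self.privileges.get(user, []), sort_keys=True).encode()
        return {"status": "ok",
                "agent_proof": mac(key, b"agent-proof", device_nonce, agent_nonce),
                "rules": rules,
                "rules_mac": mac(key, b"rules", device_nonce, rules)}


class LocalSecurityDevice:
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key
        self.rules, self.closed = [], False

    def login(self, agent: SecurityAgent, user: str, password: bytes) -> bool:
        """Run the handshake; the key itself is never sent, only MACs computed with it."""
        agent_nonce = agent.challenge(self.device_id)
        device_nonce = os.urandom(16)
        response = mac(self.key, b"device-proof", agent_nonce, device_nonce, user.encode())
        reply = agent.verify(self.device_id, device_nonce, response, user, password)
        if reply["status"] != "ok":
            self.closed = True  # agent closed us; nothing passes until it reopens the device
            return False
        if not hmac.compare_digest(mac(self.key, b"agent-proof", device_nonce, agent_nonce),
                                   reply["agent_proof"]):
            return False  # peer could not prove it holds our key: not the real agent
        if not hmac.compare_digest(mac(self.key, b"rules", device_nonce, reply["rules"]),
                                   reply["rules_mac"]):
            return False  # privileges altered in transit
        self.rules = json.loads(reply["rules"])
        return True
```

Binding the rules to the device's own nonce is what prevents a captured “ok” reply from an earlier session being replayed to a device after the agent has revoked a user's privileges.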

The access rules are preferably also sent to all local security devices 20 attached to computers 22 in organizational network 12, in order to determine whether each local security device 20 should accept a particular packet. For example, a user operating a particular computer 24 may not be permitted access to any computer 22 attached to a virtual private network (VPN) 26. Local security devices 20 connected to all computers 22 of VPN 26 would therefore be configured in order to prevent such access. However, optionally the user operating computer 24 might be permitted access to one computer 28 of VPN 26. Such access to a single computer is possible through the present invention, since security agent 18 would only need to instruct local security device 20 attached to computer 28 to permit access by packets from computer 24. By contrast, background art firewalls would not be able to provide such precise, targeted access, but would instead only be able to filter all access to VPN 26. Thus, the present invention provides both precision and flexibility for determining security of a network, as well as protecting both virtual networks and physical networks.

If the authentication procedure fails for a user operating a particular computer 22 with a particular local security device 20, then preferably security agent 18 directly closes all access through that local security device 20, such that no packets are sent or received through that local security device 20. Optionally, security agent 18 also sends a message to a network administrator, indicating that the authentication process has failed. Preferably, security agent 18 closes access by altering one or more functions of local security device 20, which more preferably includes at least one hardware function, as described in greater detail below for FIG. 3.

FIG. 1A shows another preferred embodiment of the present invention for permitting access to a computer 36 which is physically connected to organizational network 12 through some type of dial-up connection 38. Such access is currently difficult to control in a secure manner through background art security solutions. Indeed, such access is a favored target for “hackers”, since these unauthorized users can more easily bypass background art security solutions through either direct dial-up connections, such as modem to modem connections through the POTS telephony network, or through dial-up connections through the Internet. Both of these connections are described herein as “dial-up connections”.

According to the present invention, computer 36 is provided with a local security device 20 and a modem 40 for connecting to dial-up connection 38. The user enters the required identification information as previously described. Local security device 20 and security agent 18 then perform the authentication procedure as previously described, with the exception that if the procedure fails, local security device 20 is preferably not closed by security agent 18. Since local security device 20 is completely local to computer 36, the level of protection and security is as strong for computer 36 as for any computer 22 connected to organizational network 12, with the exception that packets may be “sniffed” or intercepted through dial-up connection 38, particularly if dial-up connection 38 includes a connection through the Internet. Such packet interception may be mitigated by providing an encryption software package at local security device 20 which encrypts all packets before they are transmitted through dial-up connection 38. Security agent 18 could then decrypt these packets before they are passed to organizational network 12. Encryption alone protects the confidentiality of the packets; the authentication of local security device 20 to security agent 18 is still required so that packets arriving over dial-up connection 38 from an unknown device are not accepted into organizational network 12. Thus, the present invention provides a secure solution for access through a dial-up connection.

According to preferred features of this embodiment, the user is able to alter at least a portion of the rules according to which local security device 20 accepts packets. As noted previously, preferably the user is only able to alter one or more rules locally. More preferably, the user is only able to further restrict the rules according to which packets are accepted, such that these rules become more restrictive. Such a feature is important for connecting to the Internet, for example, which presents a higher degree of security risk than a direct connection to organizational network 12.

In order to permit the user to more easily alter one or more functions of local security device 20 attached to computer 36, preferably local security device 20 provides a GUI (graphical user interface) to the user for display on computer 36. More preferably, this GUI is provided as a Web page for display by a Web browser operated by computer 36. The user enters one or more commands through this Web page, for example through a CGI script, which are then transmitted through local security device 20 as though to any other Web address, or URL (uniform resource locator). As described in greater detail below with regard to FIG. 3, local security device 20 is able to intercept this communication by reading the packets during the filtration process. Local security device 20 then configures itself according to the one or more commands entered by the user. Such commands should be accepted only from the computer side of local security device 20, so that other computers on the network cannot reconfigure it, and only to the extent described above, that is, to further restrict the rules. Local security device 20 is preferably capable of performing a minimal set of Web server functions, including operating CGI scripts and serving a limited number of Web pages from memory to computer 36. Thus, the user is able to effectively “browse into” local security device 20 itself in order to perform these changes.

FIG. 1B shows one particular embodiment of the present invention, for providing a virtual private network, in more detail. A network 42 is shown as a flat LAN (local area network) for the purposes of illustration only and without intending to be limiting in any way. Network 42 features a plurality of computers 22, each of which is connected to network 42 through a local security device 20. All local security devices 20 are controlled through security agent 18. Security agent 18 configures each local security device 20 in order to provide a plurality of virtual private networks. As shown, all computers 22 labeled with the same letter of the alphabet belong to one virtual private network, such that there are three such virtual private networks: for computers 22 labeled “A”, “B” and/or “C”. FIG. 1B shows that relative physical location is not important to determine the virtual private network. Furthermore, each computer 22 can belong to more than one virtual private network, since one such computer 22 is labeled with both “A” and “C”, indicating that it belongs to both the “A” and “C” virtual private networks. Access through each of the virtual private networks is determined according to commands from security agent 18 to local security device 20, such that both the physical location and the type of physical connection between computers 22 are not important. Note that these virtual private networks are defined by filtering rules alone; unless the encryption described above for dial-up connection 38 is also applied, traffic between members of one virtual private network remains visible to other computers sharing physical network 42.
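As an added example, not part of the patent, the following Python program shows how security agent 18 could compile the per-device accept lists that realize the virtual private networks of FIG. 1B and the targeted exception of FIG. 1A (computer 24 permitted to reach only computer 28 of VPN 26): two computers exchange packets only if their label sets intersect, exceptions are added on top, and a membership change yields exactly the updates that must be pushed to the affected devices. The computer identifiers and the group layout are constructed for the example.

```python
"""Added example, not code from the patent: the security agent derives each local
security device's accept list from virtual private network membership, so two computers
exchange packets only if they share a label, plus targeted exceptions such as the single
computer 24 -> 28 permission described for VPN 26. Identifiers are constructed."""
from collections import defaultdict


def compile_rules(membership: dict, exceptions=frozenset()) -> dict:
    """membership: computer -> set of VPN labels; exceptions: (src, dst) pairs allowed
    regardless of membership. Returns dst computer -> sorted list of sources its local
    security device accepts; anything absent falls through to the device's default deny."""
    allowed = defaultdict(set)
    for dst, dst_groups in membership.items():
        for src, src_groups in membership.items():
            if src != dst and dst_groups & src_groups:
                allowed[dst].add(src)
    for src, dst in exceptions:
        allowed[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in allowed.items()}


def device_accepts(rules: dict, dst: str, src: str) -> bool:
    """What the local security device attached to dst decides for a packet from src."""
    return src in rules.get(dst, ())


def diff_rules(old: dict, new: dict) -> dict:
    """Updates the agent must push after a membership change: only devices whose
    accept list changed, each with its complete new list (empty = accept nobody)."""
    return {d: new.get(d, []) for d in set(old) | set(new) if old.get(d) != new.get(d)}


# Constructed layout modelled on FIG. 1B: labels A, B and C, one computer in both A and C,
# and a computer 24 outside every VPN that may reach only computer 28 (a member of C).
MEMBERSHIP = {
    "22a1": {"A"}, "22a2": {"A"}, "22b1": {"B"}, "22b2": {"B"},
    "22c1": {"C"}, "22ac": {"A", "C"}, "28": {"C"}, "24": set(),
}
EXCEPTIONS = {("24", "28")}

if __name__ == "__main__":
    for dst, srcs in sorted(compile_rules(MEMBERSHIP, EXCEPTIONS).items()):
        print(f"device at {dst} accepts packets from {srcs}")
```

The exception is deliberately one-directional, as the text describes it: packets from 24 are accepted by 28, but replies from 28 to 24 need either a mirrored exception or connection tracking in the device at 24, which otherwise accepts nothing.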

FIG. 2 shows yet another embodiment of the present invention with multiple security agents. A portion of a network 44 is shown for the purposes of illustration only and without intending to be limiting in any way. Network 44 features a first security agent 46 and a second security agent 48, which are otherwise similar to security agent 18 described previously. Network 44 includes a first sub-network 50, through which access is determined by first security agent 46; and a second sub-network 52, through which access is determined by second security agent 48. A first computer 54 is connected to first sub-network 50 through a first local security device 56. Similarly, a second computer 58 is connected to second sub-network 52 through a second local security device 60.

The embodiment shown in FIG. 2 solves a particular problem of background art firewalls. These background art firewalls require the user to access the organizational network through a computer within the network protected by the firewall. If the user wishes to access the organizational network through a different sub-network which is outside of this firewall, for example through a different physical location, the user is required to log in through a different user account. Requiring different user accounts is both complicated and tedious to administer, and may also lead to further weaknesses in the security system.

By contrast, the embodiment of FIG. 2 enables the user to log in to network 44 through a plurality of different sub-networks with a single user account. If the user normally accesses network 44 through first sub-network 50, for example, then the user privileges are stored by first security agent 46. If the user then attempts to access network 44 through second sub-network 52, then second security agent 48 queries first security agent 46 with the identification information of the user. First security agent 46 then responds with the user privileges for that user. The query and the response between the security agents must themselves be authenticated, since a forged response would grant privileges the user does not hold. Thus, the user is able to access network 44 without requiring a separate user account for each sub-network, since the security agents automatically query each other in order to determine the user privileges.

FIG. 3 shows a particularly preferred embodiment of a local security device according to the present invention. Although the local security device of the present invention can be implemented as hardware, firmware, software or a combination thereof, preferably the present invention is implemented as firmware. As shown, a local security device 62 includes a physical network access component 64 for accessing the network. Physical network access component 64 could be substantially any type of hardware network connector, including a network card such as an Ethernet card, determined according to the network itself and which could easily be selected by one of ordinary skill in the art. In addition, local security device 62 includes a physical computer hardware connector 66 for connection to the local computer, which is preferably compatible with the hardware slot intended for a network card.

Local security device 62 features a read/write memory 68 for storing filtering rules from the security agent, as well as software instructions for performing the filtering of the packets. Preferably, memory 68 is a non-volatile memory, such as a flash memory for example. More preferably, memory 68 also stores the limited set of Web server functionalities as described for FIG. 1A and the Web pages served to the local computer. Memory 68 is connected to a microprocessor, preferably contained in an ASIC (application specific integrated circuit) 70. ASIC 70 would then perform the instructions stored in memory 68 for filtering the packets and for performing the other functions according to the present invention. ASIC 70 is more preferably integrated with memory 68 to form a single chip. An integrated flash memory and ASIC chip is available from Samsung, Inc. for example (Taeju, Korea). Such a firmware embodiment is particularly preferable for local security device 62 since all of the computations required to implement the firewall are performed by local security device 62 rather than by the local computer itself, thereby reducing the computational load on the local computer.

For this embodiment of the local security device, the security agent could close all access to local security device 62, if the authentication process fails for example, as follows. The security agent could send a command to local security device 62 which would set a bit in memory 68 to “off”. Because this bit is held in the non-volatile memory of the device itself rather than in software on the local computer, the setting persists across resets of the computer and cannot be cleared by the user or by software running on that computer. No access would then be permitted through local security device 62 until the security agent reset the bit of memory 68 to “on”. The command which sets or clears the bit must itself be authenticated as originating from the security agent, since otherwise any host able to reach local security device 62 could close or reopen it.
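The following Python program is an added example, not the patent's code, modelling the non-volatile configuration of local security device 62 described in this paragraph together with the locally alterable rules described for computer 36 of FIG. 1A. Memory 68 is modelled as a byte array whose first byte carries the “closed” bit; only a command carrying a valid MAC under the device key and a counter newer than the last one written can set or clear that bit or replace the rules, while a command arriving from the local Web page may only add a deny rule, so the user can tighten filtering but never loosen it. The flash layout, the command format and all names are assumptions made for the example.

```python
"""Added example, not the patent's code: a model of the local security device's
non-volatile configuration (FIG. 3, memory 68). The security agent, proving possession of
the device key with an HMAC over an increasing command counter, can set or clear the
"closed" bit and replace the rule list; a command from the local Web page (FIG. 1A,
computer 36) may only add deny rules, so the user can tighten filtering but never loosen
it. Flash is modelled as a bytearray; the layout and names are assumptions."""
import hashlib
import hmac
import json
import struct

CLOSED_BIT = 0x01            # bit 0 of flash byte 0: 1 = closed by the security agent
HDR = struct.Struct("!BQ")   # flags byte followed by the last accepted command counter


def agent_sign(key: bytes, counter: int, cmd: dict) -> tuple:
    """Agent side: serialise a command and tag it; the counter defeats replay of old commands."""
    body = json.dumps(cmd, sort_keys=True).encode()
    tag = hmac.new(key, counter.to_bytes(8, "big") + body, hashlib.sha256).digest()
    return counter, body, tag


class DeviceConfig:
    def __init__(self, key: bytes, flash: bytearray = None):
        self.key = key
        # Fresh flash: not closed, counter 0, empty rule list (JSON after the header).
        self.flash = flash if flash is not None else bytearray(HDR.size) + b"[]"
        flags, self.counter = HDR.unpack_from(self.flash)
        self.closed = bool(flags & CLOSED_BIT)
        self.rules = json.loads(bytes(self.flash[HDR.size:]))

    def _persist(self) -> None:
        flags = CLOSED_BIT if self.closed else 0
        self.flash[:] = HDR.pack(flags, self.counter) + json.dumps(self.rules, sort_keys=True).encode()

    def agent_command(self, counter: int, body: bytes, tag: bytes) -> bool:
        """Accept {"op": "close"|"open"|"set_rules"} only with a valid tag and a counter
        newer than the last one written to flash, so captured commands cannot be replayed."""
        expect = hmac.new(self.key, counter.to_bytes(8, "big") + body, hashlib.sha256).digest()
        if counter <= self.counter or not hmac.compare_digest(expect, tag):
            return False
        cmd = json.loads(body)
        if cmd.get("op") == "close":
            self.closed = True
        elif cmd.get("op") == "open":
            self.closed = False
        elif cmd.get("op") == "set_rules":
            self.rules = list(cmd["rules"])
        else:
            return False
        self.counter = counter
        self._persist()
        return True

    def local_command(self, rule: dict) -> bool:
        """Unauthenticated command from the local Web page: only a deny rule is accepted,
        and it is placed first so it overrides any allow rule from the agent."""
        if self.closed or rule.get("action") != "deny":
            return False
        self.rules.insert(0, rule)
        self._persist()
        return True

    def decide(self, pkt: dict) -> str:
        """Closed bit wins; otherwise first rule whose fields all match the packet; else deny."""
        if self.closed:
            return "deny"
        for rule in self.rules:
            if all(pkt.get(k) == v for k, v in rule.items() if k != "action"):
                return rule["action"]
        return "deny"
```

Constructing a second DeviceConfig over the same flash bytes models a reboot of the device: the closed bit and the counter come back from non-volatile memory, so a device closed by the agent stays closed and an old “open” command captured earlier is still rejected.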

This embodiment of the present invention could also be separately implemented as a “firewall on a chip”, with ASIC 70 and memory 68 integrated on a single chip. This implementation would preferably include the Web server functionalities for serving one or more Web pages to the Web browser of the user, and for receiving one or more commands from the user, as previously described. Thus, even though the firewall would be implemented as firmware, it could easily be configured through these Web page(s).
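The following is an added example, not code from the patent: a C model of the filtering firmware described for FIG. 3, with a constructed stand-in for memory 68 (the device-open bit the security agent toggles plus the rule table) and a first-match check on source MAC, masked source IP and IP protocol, the three criteria the claims name. All identifiers are assumptions, the Web page configuration path is not modelled, and a frame that matches no rule is dropped (default deny), a choice the patent does not state.

```c
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define IPV4_MIN_HDR_LEN 20
#define MAX_RULES 8
/* One rule: source MAC (link layer), masked source IP (network layer) and/or IP protocol. */
typedef struct {
    uint8_t  src_mac[6], match_mac;
    uint32_t src_ip, ip_mask; uint8_t match_ip;
    uint8_t  proto, match_proto;
    uint8_t  allow;                 /* 1 = pass to the computer, 0 = drop */
} rule_t;
/* Constructed stand-in for memory 68: the device-open bit plus the rule table
 * (real firmware would keep this in flash; here it is a static struct). */
typedef struct {
    uint8_t device_open;            /* the bit the security agent sets off/on */
    uint8_t nrules;
    rule_t  rules[MAX_RULES];
} flash_mem_t;
static flash_mem_t mem68 = { .device_open = 1, .nrules = 0 };

/* Commands the security agent may send to the device. */
void agent_set_device_bit(int on) { mem68.device_open = on ? 1 : 0; }
int agent_add_rule(const rule_t *r) {
    if (mem68.nrules >= MAX_RULES) return -1;
    mem68.rules[mem68.nrules++] = *r;
    return 0;
}

/* Filtering instruction run by ASIC 70 on each inbound frame: 1 = pass, 0 = drop. */
int filter_packet(const uint8_t *frame, size_t len) {
    if (!mem68.device_open) return 0;                   /* closed by the agent */
    if (len < ETH_HDR_LEN + IPV4_MIN_HDR_LEN) return 0; /* too short to parse */
    if (frame[12] != 0x08 || frame[13] != 0x00) return 0; /* only IPv4 modelled */
    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4) return 0;                    /* IP version check */
    uint8_t  proto  = ip[9];
    uint32_t src_ip = ((uint32_t)ip[12] << 24) | ((uint32_t)ip[13] << 16) |
                      ((uint32_t)ip[14] << 8)  |  (uint32_t)ip[15];
    for (uint8_t i = 0; i < mem68.nrules; i++) {
        const rule_t *r = &mem68.rules[i];
        if (r->match_mac && memcmp(frame + 6, r->src_mac, 6) != 0) continue;
        if (r->match_ip && (src_ip & r->ip_mask) != (r->src_ip & r->ip_mask)) continue;
        if (r->match_proto && proto != r->proto) continue;
        return r->allow;                                /* first match wins */
    }
    return 0;                                           /* no rule matched: default deny */
}

/* Builds a minimal constructed Ethernet/IPv4 frame for testing; returns its length. */
size_t build_ipv4_frame(uint8_t *buf, const uint8_t *src_mac, uint32_t src_ip, uint8_t proto) {
    memset(buf, 0, ETH_HDR_LEN + IPV4_MIN_HDR_LEN);
    memcpy(buf + 6, src_mac, 6); buf[12] = 0x08; buf[13] = 0x00; /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HDR_LEN; ip[0] = 0x45; ip[9] = proto; /* v4, IHL 5 */
    ip[12] = (uint8_t)(src_ip >> 24); ip[13] = (uint8_t)(src_ip >> 16);
    ip[14] = (uint8_t)(src_ip >> 8);  ip[15] = (uint8_t)src_ip;
    return ETH_HDR_LEN + IPV4_MIN_HDR_LEN;
}
```

Because the open/closed check runs before any parsing, a frame that would otherwise match an allow rule is still dropped while the agent has set the bit off, which is the behaviour the description attributes to the bit in memory 68.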

It will be appreciated that the above descriptions are intended only to serve as examples, and that many other embodiments are possible within the spirit and the scope of the present invention.

What is claimed is:
1. A system for local, distributed security for a computer connected to a network, the network transmitting packets to and from the computer, the system comprising: (a) a local security device for connecting the computer to the network and for examining each packet to determine whether said packet is received by the computer according to at least one rule; and (b) a security agent for determining said at least one rule for said local security device; wherein said local security device includes: (i) a network hardware connector for connecting to the network; (ii) a computer hardware connector for connecting to the computer; (iii) a flash memory for storing said at least one rule and for storing at least one software instruction for examining each packet; and (iv) a microprocessor for performing said at least one software instruction; and wherein said security agent closes said local security device by altering a setting of a bit of said flash memory.
2. The system of claim 1, wherein said microprocessor is contained within an ASIC (application specific integrated chip), and said ASIC and said flash memory are integrated in a single chip.
3. The system of claim 1, wherein said at least one rule determines whether said packet is received by the computer according to an address of said packet.
4. The system of claim 3, wherein said address is selected from the group consisting of a link layer address and a network layer address.
5. The system of claim 4, wherein said address is selected from the group consisting of a MAC address and an IP address.
6. The system of claim 3, wherein said at least one rule determines whether said packet is received by the computer according to a protocol of said packet.
7. The system of claim 1, further comprising: (d) a dial-up connection for connecting to the network; and (e) a modem for connecting said local security device to said dial-up connection, such that the computer connects to the network through said dial-up connection.
8. The system of claim 7, wherein said at least one rule is a plurality of rules, including at least one user-configurable rule for determining access by a packet to the computer of the user.
9. A system for local, distributed security for a computer connected to a network, the network transmitting packets to and from the computer, the system comprising: (a) a local security device for connecting the computer to the network and for examining each packet to determine whether said packet is received by the computer according to at least one rule; (b) a security agent for determining said at least one rule for said local security device; and (c) a second local security device for sending and receiving packets; wherein the computer is operated by a user, and said user sends an identifier to said security agent through the computer to determine said at least one rule for said second local security device, such that said security agent determines said at least one rule for said second local security device according to said identifier of said user; (d) a dial-up connection for connecting to the network; and (e) a modem for connecting said local security device to said dial-up connection, such that the computer connects to the network through said dial-up connection; wherein said at least one rule is a plurality of rules, including at least one user-configurable rule for determining access by a packet to the computer of the user; and wherein the computer of the user operates a Web browser and said local security device further includes: (i) at least one Web page for being displayed by said Web browser; and (ii) at least a portion of a set of Web server functionalities for serving said at least one Web page and for accepting at least one command from said user through said at least one Web page, such that said at least one user-configurable rule is determined according to said at least one command.
10. A system for local, distributed security for a computer connected to a network, the network transmitting packets to and from the computer, the system comprising: (a) a local security device for connecting the computer to the network and for examining each packet to determine whether said packet is received by the computer according to at least one rule; and (b) a security agent for determining said at least one rule for said local security device; (c) a second local security device for sending and receiving packets; wherein the computer is operated by a user, and said user sends an identifier to said security agent through the computer to determine said at least one rule for said second local security device, such that said security agent determines said at least one rule for said second local security device according to said identifier of said user; and (d) a second computer connected to said second local security device; wherein said second local security device is configured according to said at least one rule to accept a packet from the computer of the user, such that the computer of the user and said second computer are connected in a virtual private network.
11. The system of claim 10, wherein said local security device includes: (i) a network hardware connector for connecting to the network; (ii) a computer hardware connector for connecting to the computer; (iii) a memory for storing said at least one rule and for storing at least one software instruction for examining each packet; and (iv) a microprocessor for performing said at least one software instruction.
12. The system of claim 11, wherein said memory is a flash memory.
13. The system of claim 12, wherein said microprocessor is contained within an ASIC (application specific integrated chip), and said ASIC and said flash memory are integrated in a single chip.
14. The system of claim 11, wherein said at least one rule determines whether said packet is received by the computer according to an address of said packet.
15. The system of claim 14, wherein said address is selected from the group consisting of a link layer address and a network layer address.
16. The system of claim 15, wherein said address is selected from the group consisting of a MAC address and an IP address.
17. The system of claim 14, wherein said at least one rule determines whether said packet is received by the computer according to a protocol of said packet.
18. The system of claim 10, wherein said user sends said identifier to said security agent during an authentication procedure, such that said security agent determines said at least one rule only if said authentication procedure succeeds.
19. The system of claim 18, wherein if said authentication procedure fails, said security agent closes said local security device to prevent further transmission of packets.
20. The system of claim 10, further comprising: (e) a dial-up connection for connecting to the network; and (f) a modem for connecting said local security device to said dial-up connection, such that the computer connects to the network through said dial-up connection.
21. The system of claim 20, wherein said at least one rule is a plurality of rules, including at least one user-configurable rule for determining access by a packet to the computer of the user.
22. The system of claim 21, wherein the computer of the user operates a Web browser and said local security device further includes: (i) at least one Web page for being displayed by said Web browser; and (ii) at least a portion of a set of Web server functionalities for serving said at least one Web page and for accepting at least one command from said user through said at least one Web page, such that said at least one user-configurable rule is determined according to said at least one command.
23. A system for local, distributed security for a computer connected to a network, the network transmitting packets to and from the computer, the system comprising: (a) a local security device for connecting the computer to the network and for examining each packet to determine whether said packet is received by the computer according to at least one rule; and (b) a security agent for determining said at least one rule for said local security device; wherein a user has at least one access privilege stored on said security agent, the system further comprising: (c) a second network for transmitting packets; (d) a second computer for connecting to said second network; (e) a second local security device for connecting said second computer to said second network and for determining access for each packet to said second computer according to at least one rule; and (f) a second security agent for controlling said second local security device by determining said at least one rule, such that when said user accesses said second network through said second local security device, said second security agent receives said at least one rule from said security agent.
24. The system of claim 23, wherein said local security device includes: (i) a network hardware connector for connecting to the network; (ii) a computer hardware connector for connecting to the computer; (iii) a memory for storing said at least one rule and for storing at least one software instruction for examining each packet; and (iv) a microprocessor for performing said at least one software instruction.
25. The system of claim 24, wherein said memory is a flash memory.
26. The system of claim 25, wherein said microprocessor is contained within an ASIC (application specific integrated chip), and said ASIC and said flash memory are integrated in a single chip.
27. The system of claim 23, wherein said at least one rule determines whether said packet is received by the computer according to an address of said packet.
28. The system of claim 27, wherein said address is selected from the group consisting of a link layer address and a network layer address.
29. The system of claim 28, wherein said address is selected from the group consisting of a MAC address and an IP address.
30. The system of claim 27, wherein said at least one rule determines whether said packet is received by the computer according to a protocol of said packet.
31. The system of claim 23, wherein said user sends said identifier to said security agent during an authentication procedure, such that said security agent determines said at least one rule only if said authentication procedure succeeds.
32. The system of claim 31, wherein if said authentication procedure fails, said security agent closes said local security device to prevent further transmission of packets.
33. The system of claim 23, further comprising: (g) a dial-up connection for connecting to the network; and (g) a modem for connecting said local security device to said dial-up connection, such that the computer connects to the network through said dial-up connection.
34. The system of claim 33, wherein said at least one rule is a plurality of rules, including at least one user-configurable rule for determining access by a packet to the computer of the user.
35. The system of claim 34, wherein the computer of the user operates a Web browser and said local security device further includes: (i) at least one Web page for being displayed by said Web browser; and (ii) at least a portion of a set of Web server functionalities for serving said at least one Web page and for accepting at least one command from said user.
36. A firewall on a single chip for providing security to a network, the network transmitting packets, the firewall comprising: (a) a network hardware connector for connecting to the network; (b) a memory for storing at least one rule and for storing at least one software instruction for examining each packet; and (c) a microprocessor for performing said at least one software instruction for examining each packet to determine whether said packet is transmitted according to said at least one rule; wherein said at least one rule is configurable by a user and said memory includes: (i) at least one Web page for being displayed to said user; and (ii) at least a portion of a set of Web server functionalities for serving said at least one Web page and for accepting at least one command from said user through said at least one Web page, such that said at least one rule is determined according to said at least one command.
37. The firewall of claim 36, wherein said memory is a flash memory.
38. The firewall of claim 37, wherein said microprocessor is contained within an ASIC (application specific integrated chip).
39. The system of claim 36, further comprising: (d) a further local security device for sending and receiving packets; wherein the computer is operated by a user, and said user sends an identifier to said security agent through the computer to determine said at least one rule for said second local security device, such that said security agent determines said at least one rule for said second local security device according to said identifier of said user.
40. The system of claim 39, further comprising: (e) a further computer connected to said further local security device; wherein said further local security device is configured according to said at least one rule to accept a packet from the computer of the user, such that the computer of the user and said further computer are connected in a virtual private network.
41. A system for local, distributed security for a computer connected to a network, the network transmitting packets to and from the computer, the system comprising: (a) a local security device for connecting the computer to the network and for examining each packet to determine whether said packet is received by the computer according to at least one rule; and (b) a security agent for determining said at least one rule for said local security device; and (c) a second local security device for sending and receiving packets; wherein the computer is operated by a user, and said user sends an identifier to said security agent through the computer to determine said at least one rule for said second local security device, such that said security agent determines said at least one rule for said second local security device according to said identifier of said user; wherein said user sends said identifier to said security agent during an authentication procedure, such that said security agent determines said at least one rule only if said authentication procedure succeeds; wherein if said authentication procedure fails, said security agent closes said local security device to prevent further transmission of packets; and wherein said security agent closes said local security device by altering a setting of a bit of said flash memory.
42. The system of claim 41, wherein said local security device includes: (i) a network hardware connector for connecting to the network; (ii) a computer hardware connector for connecting to the computer; and (iii) a microprocessor for performing said at least one software instruction.
43. The system of claim 42, wherein said microprocessor is contained within an ASIC (application specific integrated chip), and said ASIC and said flash memory are integrated in a single chip.
44. The system of claim 41, wherein said at least one rule determines whether said packet is received by the computer according to an address of said packet.
45. The system of claim 44, wherein said address is selected from the group consisting of a link layer address and a network layer address.
46. The system of claim 45, wherein said address is selected from the group consisting of a MAC address and an IP address.
47. The system of claim 44, wherein said at least one rule determines whether said packet is received by the computer according to a protocol of said packet.
48. The system of claim 41, further comprising: (d) a dial-up connection for connecting to the network; and (e) a modem for connecting said local security device to said dial-up connection, such that the computer connects to the network through said dial-up connection.
49. The system of claim 48, wherein said at least one rule is a plurality of rules, including at least one user-configurable rule for determining access by a packet to the computer of the user.
50. The system of claim 49, wherein the computer of the user operates a Web browser and said local security device further includes: (i) at least one Web page for being displayed by said Web browser; and (ii) at least a portion of a set of Web server functionalities for serving said at least one Web page and for accepting at least one command from said user through said at least one Web page, such that said at least one user-configurable rule is determined according to said at least one command.
51. The system of claim 41, further comprising (d) a second computer connected to said second local security device; wherein said second local security device is configured according to said at least one rule to accept a packet from the computer of the user, such that the computer of the user and said second computer are connected in a virtual private network.